Heartbleed Runs Deeper Than We Thought

Researchers have discovered Heartbleed can compromise clients visiting servers and leaves private SSL keys vulnerable.
Posted at 2:48 PM, Apr 12, 2014

By now you’ve probably heard of Heartbleed, the security software vulnerability that’s left a huge chunk of the Internet open to data theft for the last two years.

It’s a flaw in OpenSSL, the open-source software that many big-name Internet services like Gmail, Yahoo and Instagram use to secure communications with users. Unfortunately for the Internet, researchers are discovering Heartbleed has a few more tricks.

The heartbeat connection, from which Heartbleed takes its name, is a back-and-forth ping between a server and client that the two use to make sure their connection stays open. (Via Elastica Inc.)

A team at software company Meldium discovered that, since the heartbeat sends data both ways, servers running unpatched versions of OpenSSL could be used for reverse-Heartbleed attacks.

Instead of an attacker compromising a server from a client like a web browser or mobile app, “a malicious server can also send bad heartbeat packets to a client that uses OpenSSL and extract data from that client.”
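The mechanism behind both directions of the bug is the same: a heartbeat message carries a length field, and an unpatched peer echoes back that many bytes whether or not that many bytes actually arrived. The following is an added example, not code from the article or from OpenSSL, showing the bounds check a patched peer applies before answering a heartbeat. Message layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) follows RFC 6520; the message contents are constructed for the example. The same check protects a client receiving heartbeats from a server, which is the reverse-Heartbleed case described above.

```python
import struct
from typing import Tuple

# Heartbeat message layout from RFC 6520: type (1 byte), payload_length
# (2 bytes, big-endian), payload, then padding of at least 16 bytes.
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3          # type + payload_length
MIN_PADDING = 16


class MalformedHeartbeat(ValueError):
    """Raised when a heartbeat message fails validation."""


def parse_heartbeat(record: bytes) -> Tuple[int, bytes]:
    """Parse a heartbeat body the way a patched peer must: trust only the
    bytes that actually arrived, never the length the sender claims.

    Returns (type, payload). Raises MalformedHeartbeat on any inconsistency,
    which is also the event a defender would log or alert on.
    """
    if len(record) < HEADER_LEN + MIN_PADDING:
        raise MalformedHeartbeat("record too short for header plus mandatory padding")
    hb_type = record[0]
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise MalformedHeartbeat(f"unknown heartbeat type {hb_type}")
    (payload_length,) = struct.unpack("!H", record[1:HEADER_LEN])
    # The check that unpatched OpenSSL lacked: the declared payload must fit
    # inside the received record with room left for the padding. Without it,
    # a peer copies payload_length bytes of whatever follows the short message
    # in its own memory into the reply.
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        raise MalformedHeartbeat(
            f"declared payload length {payload_length} exceeds {len(record)}-byte record"
        )
    payload = record[HEADER_LEN:HEADER_LEN + payload_length]
    return hb_type, payload


def build_heartbeat(hb_type: int, payload: bytes, padding_len: int = MIN_PADDING) -> bytes:
    """Encode a well-formed heartbeat message with the given payload and padding."""
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError("invalid heartbeat type")
    if padding_len < MIN_PADDING or len(payload) > 0xFFFF:
        raise ValueError("padding too short or payload too long")
    return bytes([hb_type]) + struct.pack("!H", len(payload)) + payload + b"\x00" * padding_len


def answer_heartbeat(request: bytes) -> bytes:
    """Respond to a heartbeat request by echoing only the validated payload.
    Anything that fails validation is refused rather than padded from memory."""
    hb_type, payload = parse_heartbeat(request)
    if hb_type != HEARTBEAT_REQUEST:
        raise MalformedHeartbeat("only heartbeat requests are answered")
    return build_heartbeat(HEARTBEAT_RESPONSE, payload)


if __name__ == "__main__":
    # Constructed well-formed request: 4-byte payload, 16 bytes of padding.
    good = build_heartbeat(HEARTBEAT_REQUEST, b"ping")
    print(parse_heartbeat(answer_heartbeat(good)))
    # Constructed malformed request: claims 65535 payload bytes but carries 4.
    bad = bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 0xFFFF) + b"ping" + b"\x00" * 16
    try:
        answer_heartbeat(bad)
    except MalformedHeartbeat as exc:
        print("rejected:", exc)
```

The rejection path is the useful one for operators: a peer that declares a payload larger than the record it sent is either broken or probing, and logging that mismatch at the TLS layer gives a concrete signal to watch for while hosts are being patched.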

Still, as of Friday morning it seemed there was a point at which the bleeding would stop. Outlets like Re/code called it the first bit of good news to come out of Heartbleed.

Security firm CloudFlare reported it was just short of impossible to use Heartbleed to steal private SSL keys, the secret keys servers use to prove to visitors “yes, I’m secure.”

Cloudflare opened its testing up to the community, just in case. It took one Russian software developer just three hours of sustained pressure via Heartbleed to extract the test site’s private SSL key. (Via Fedor Indutny)

That unlocks more than just bits and pieces of sensitive data like email text or login passwords — with the private key an attacker can impersonate an entire website.

Users wouldn’t see anything amiss: the lock icon and https URL in their browser would tell them their connection is secure, even if a malicious actor is controlling the server and routing all their data elsewhere.

Completely patching that hole requires revoking a website’s SSL certificate and replacing it with one issued for a new private key. As of Friday, web monitor Netcraft showed the majority of the half-million websites put at risk by Heartbleed still hadn’t taken that important step.

This is damage control we web-browsing users generally can’t do ourselves — it’s on website administrators to make sure their security software and certificates are up to date.

What we can do is change our passwords for affected sites ASAP, but only after those sites have updated themselves so they’re no longer vulnerable. Lists like this one on Mashable give a good rundown of which passwords are safe to change.